GCP Professional Cloud Security Engineer Practice Question
An insurance company subject to GDPR will run nightly Spark jobs against customer PII. Corporate policy states that (1) data must never leave the European Union, (2) data at rest must be encrypted with customer-managed keys, and (3) compute instances must have no direct Internet exposure. You need to design the processing environment on Google Cloud with minimal operational overhead. Which solution satisfies every control?
Create an internal-only Dataproc cluster in europe-west3, store all data in a regional Cloud Storage bucket in europe-west3 protected by a Cloud KMS CMEK key, apply the gcp.resourceLocations organization policy to EU regions, and provide outbound Internet access through Cloud NAT.
Build a private GKE cluster in europe-west1, mount a multi-region EU Cloud Storage bucket with default encryption, and allow nodes to access package repositories via their own external IP addresses.
Deploy a managed instance group of Compute Engine VMs with public IPs in us-central1, store data in a multi-region EU Cloud Storage bucket encrypted with Google-managed keys, and block unwanted traffic using firewall rules.
Run Cloud Dataflow jobs in us-west1, keep datasets in a BigQuery US multi-region dataset encrypted with CMEK, and isolate projects with VPC Service Controls.
Using a Dataproc cluster avoids managing the OS and Spark stack while still giving fine-grained control over network configuration. Creating the cluster in a single EU region (e.g., europe-west3) and selecting the "internal IP only" option ensures no public IP addresses are assigned. Storing the raw and processed data in a regional Cloud Storage bucket in the same EU region preserves data residency, and attaching a Cloud KMS-managed CMEK key fulfils the customer-managed encryption requirement. Enforcing the organization policy constraint gcp.resourceLocations prevents accidental resource creation outside approved EU regions, while Cloud NAT lets the private cluster download required packages without exposing public IPs. The other options violate at least one control: they place resources in US regions, use Google-managed keys, or expose instances directly to the public Internet.
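The design described above, sketched as a gcloud provisioning script. This is an added example, not part of the original question; the project ID, organization ID, resource names and IP range are placeholders. It assumes the Cloud Storage and Compute Engine service agents already hold roles/cloudkms.cryptoKeyEncrypterDecrypter on the key. It prints the commands by default and only executes them when DRY_RUN=0.

```shell
#!/usr/bin/env bash
# Added example: every name and ID below is a placeholder, not a value from the page.
PROJECT="example-project"
ORG_ID="000000000000"
REGION="europe-west3"
KEY="projects/${PROJECT}/locations/${REGION}/keyRings/pii-ring/cryptoKeys/pii-key"
BUCKET_NAME="example-pii-${REGION}"

# run: print the command in dry-run mode (the default); execute it when DRY_RUN=0.
run() {
  if [ "${DRY_RUN:-1}" = "1" ]; then echo "$*"; else "$@"; fi
}

provision() {
  # Control 1 (residency): only EU locations may host new resources.
  run gcloud resource-manager org-policies allow gcp.resourceLocations \
    in:eu-locations --organization="$ORG_ID"

  # Control 2 (CMEK): key and bucket share the region, so data and key stay in the EU.
  run gcloud kms keyrings create pii-ring --location="$REGION" --project="$PROJECT"
  run gcloud kms keys create pii-key --keyring=pii-ring --location="$REGION" \
    --purpose=encryption --project="$PROJECT"
  run gcloud storage buckets create "gs://${BUCKET_NAME}" --project="$PROJECT" \
    --location="$REGION" --default-encryption-key="$KEY" \
    --uniform-bucket-level-access

  # Control 3 (no Internet exposure): custom subnet with Private Google Access,
  # which internal-IP-only Dataproc needs, plus Cloud NAT for outbound package fetches.
  run gcloud compute networks create pii-vpc --subnet-mode=custom --project="$PROJECT"
  run gcloud compute networks subnets create pii-subnet --network=pii-vpc \
    --region="$REGION" --range=10.10.0.0/24 --enable-private-ip-google-access \
    --project="$PROJECT"
  run gcloud compute routers create pii-router --network=pii-vpc \
    --region="$REGION" --project="$PROJECT"
  run gcloud compute routers nats create pii-nat --router=pii-router \
    --region="$REGION" --auto-allocate-nat-external-ips \
    --nat-all-subnet-ip-ranges --project="$PROJECT"

  # Dataproc cluster: no external IPs, CMEK on persistent disks, CMEK staging bucket.
  run gcloud dataproc clusters create pii-spark --project="$PROJECT" \
    --region="$REGION" --subnet=pii-subnet --no-address \
    --gce-pd-kms-key="$KEY" --bucket="$BUCKET_NAME"
}

provision
```

Review the printed plan first, then rerun with DRY_RUN=0 from an account that can set organization policy and create the resources.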
GCP Professional Cloud Security Engineer
Supporting compliance requirements